class-map type inspect statement without match statement

Unanswered Question
Oct 28th, 2008

In a ZBF (IOS 12.4(20)T1), what happens if the following class-map is used in a policy which is tied to a zone pair and an interface, but the class-map does not have a "match" statement under it? Is the default to drop all since there is no match? Or since there is a "match-any" statement, does it pass all traffic? This was set up automatically by SDM 2.5 and I'm trying to figure out what will happen here.

class-map type inspect match-any no-match
class-map type inspect match-all willwork
 match class-map no-match
 match access-group 110

policy-map type inspect whathappens
 class type inspect willwork
 class class-default

zone security in
zone security out
zone-pair security out-self source out destination self
 service-policy type inspect whathappens

interface GigabitEthernet 0/0
 description Untrusted
 zone-member security out



Marwan ALshawi Tue, 10/28/2008 - 19:45
As long as the class does not have a match, no action will be taken until the match occurs, so nothing will happen.

To make sure, do

show policy-map whathappens interface GigabitEthernet 0/0

and see the matched traffic. It shows 0.

Good luck.

If helpful, rate.

sdniel Wed, 10/29/2008 - 07:36

When you say "nothing will happen", are you saying it will "pass" all traffic or "drop" all traffic?

Marwan ALshawi Wed, 10/29/2008 - 14:46
Actually, it will not pass or drop.

The logic is: the class map does the matching; then, if any match happens, the policy map that is associated with this class looks at what action is configured to be taken.

In your case nothing will be matched, so the next stage, which is the action stage, will not be considered.

Hope this helps.

sdniel Thu, 10/30/2008 - 07:07

So in this case, since class-map no-match is nested within class-map willwork, which has a match-all statement match class-map no-match "anded" with access list 110, does the policy whathappens inspect packets for only access-group 110? Would the result be the same if class-map no-match did not exist at all? You state that it does not pass or drop packets, so what does it do with them?
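An added example, not part of the original thread: a small Python audit that flags the constructs this discussion is about (inspect class-maps with no match statements, class-maps that nest them, and policy classes with no action) so they can be reviewed before a policy is attached to a zone pair. It only reports structure and makes no claim about how IOS evaluates an empty class-map; the function names and the embedded sample (the config from the first post, re-indented) are constructed for the example.

```python
import re

# Constructed sample: class-map/policy-map lines from the first post, re-indented.
SAMPLE = """\
class-map type inspect match-any no-match
class-map type inspect match-all willwork
 match class-map no-match
 match access-group 110
policy-map type inspect whathappens
 class type inspect willwork
 class class-default
"""

def parse(config):
    """Return (class-map name -> match statements, policy -> {class: actions})."""
    cmaps, pmaps, ctx = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0] not in " \t":          # top-level command ends the previous block
            ctx = None
            if m := re.match(r"class-map type inspect (?:match-(?:any|all) )?(\S+)$", line):
                ctx = cmaps.setdefault(m.group(1), [])
            elif m := re.match(r"policy-map type inspect (\S+)$", line):
                ctx = pmaps.setdefault(m.group(1), {})
        elif isinstance(ctx, list) and line.startswith("match "):
            ctx.append(line[len("match "):])
        elif isinstance(ctx, dict):
            if m := re.match(r"class (?:type inspect )?(\S+)$", line):
                cur = ctx.setdefault(m.group(1), [])
            elif ctx:                    # action line under the most recent class
                cur.append(line)
    return cmaps, pmaps

def audit(config):
    """List structural findings worth a manual review."""
    cmaps, pmaps = parse(config)
    empty = {n for n, ms in cmaps.items() if not ms}
    out = [f"class-map {n}: no match statements" for n in sorted(empty)]
    for name, matches in cmaps.items():
        for ref in matches:
            if ref.startswith("class-map ") and ref.split()[1] in empty:
                out.append(f"class-map {name}: nests empty class-map {ref.split()[1]}")
    for pol, classes in pmaps.items():
        out += [f"policy-map {pol}: class {c} has no action"
                for c, acts in classes.items() if not acts]
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against the output of `show running-config` saved to a file to find SDM-generated empty class-maps before relying on the policy.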

